***disclaimer*** I’m not a lawyer and what follows is my understanding of GDPR. It’s up to you to check it out fully and I’ve included some links to help you with that.
Yay! A new regulation (said nobody, ever)
This week I’m going to look at this new regulation and how it affects you.
This is the official website to explain it all to you:
Don’t want to read all that? Well, let’s try and figure it out…
What is it?
Remember the Data Protection Act 1998? Well, the GDPR (together with the new Data Protection Act 2018 in the UK) replaces it. It applies from 25th May 2018 and is all about how an individual’s personal data is collected, used and stored.
Do I need to do anything?
Probably. Let’s take a look at the GDPR definition of personal data:
“The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
As a website owner, you’re bound to have a contact form for enquiries. The name, email address and message someone submits through it are personal data. You need to clearly define what you do with that data and how you use it.
What do I need to do?
You need to look at what you do with the personal data you receive and then write up a privacy policy explaining:
- Who you are and how you can be contacted
- Why you need the data
- Who will have access to the data
- How long you’re keeping the data
- How someone should request removal of any of their data that you hold
- How, in the event of a hack or security breach, you will notify the person (the GDPR also requires you to report a breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to put people at risk)
This website provides a great privacy policy generator for your website and allows you to customise the policy based on what external services you use. You will need to review and make some grammatical changes to the output from this!
You need to get explicit and clear consent to collect the data in the first place via an opt-in (you can’t use a negative “tick if you don’t want to” type box). You also can’t have the “yes, I agree to this” type box ticked by default; a pre-ticked box does not count as consent. Consent isn’t the only lawful basis the GDPR allows (replying to an enquiry someone has sent you can also be justified as a legitimate interest), but whichever basis you rely on, your privacy policy has to say which one it is.
OMG, What should I do?
Don’t panic! This is the point to look at how you deal with people’s personal data.
Your contact/enquiry form – All those questions and tick boxes you’ve got on there… do you really need all of that information? Take a look at how you can just request the bare minimum of information to be able to move forward. This will probably have the bonus of also helping your contact rate, as people hate filling in long contact/enquiry forms.
Think about how you get, use and store personal data, then write up a privacy policy that explains this. Add this privacy policy to your website as a link and follow the procedures you’ve documented.
Insert a paragraph next to the form that explains what you will do with the details they enter and links to your privacy policy. Add an unchecked tick box so they give explicit and clear consent for you to use the data to contact them, and make sure the form can’t be submitted without it. Check for the tick on the server as well as in the browser: anything that only runs in the visitor’s browser can be bypassed, so the record of consent should come from what your site actually received.
Think about how you store people’s personal data. Do you store it on a computer or on your phone? Do you take reasonable steps to keep it secure? Is it password protected? When do you delete it, or does it stay wherever it is forever? Decide on a retention period, state it in your privacy policy and actually delete old enquiries when it runs out. A lot of this is going to involve you looking at what you do with the data. Security of data is a whole area in itself, but follow best practice regarding passwords and encryption, and only keep the fields you said you needed.
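As an added example (not code from the original post, and not WordPress or PHP code), here is how a small contact-form backend can enforce the three points above in one place: refuse a submission unless the consent box was actively ticked, keep only the fields the form said it needed, record when consent was given and against which version of the privacy policy, and purge enquiries once the stated retention period has passed. The function names, the 90-day retention period and the policy version string are assumptions for illustration.

```python
"""Illustrative contact-form backend (added example, not from the original post)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

PRIVACY_POLICY_VERSION = "2018-05-25"  # assumed: change whenever the policy text changes
RETENTION_DAYS = 90                     # assumed retention period, as stated in the policy
REQUIRED_FIELDS = ("name", "email", "message")  # the bare minimum for an enquiry


def utc(iso):
    """Parse an ISO-8601 timestamp as UTC (helper for tests and fixed clocks)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass
class Enquiry:
    id: str
    name: str
    email: str
    message: str
    received_at: datetime
    consent_given_at: datetime
    consent_policy_version: str


@dataclass
class EnquiryStore:
    """In-memory stand-in for wherever enquiries are really kept (assumption)."""
    records: dict = field(default_factory=dict)


def handle_submission(form, store, now=None):
    """Validate a POSTed form as the server received it and store the minimum.

    Browsers only send a checkbox when it is ticked, so a missing "consent" key
    means the box was left unticked. That is the correct default, and it is
    rejected here regardless of anything the page's JavaScript did.
    """
    now = now or datetime.now(timezone.utc)
    if form.get("consent") != "on":
        raise PermissionError("submission rejected: no explicit consent")
    missing = [f for f in REQUIRED_FIELDS if not form.get(f, "").strip()]
    if missing:
        raise ValueError("missing required fields: %s" % ", ".join(missing))
    # Only the declared fields are stored; extra fields the form sent are dropped.
    record = Enquiry(
        id=secrets.token_hex(8),
        name=form["name"].strip(),
        email=form["email"].strip(),
        message=form["message"].strip(),
        received_at=now,
        consent_given_at=now,
        consent_policy_version=PRIVACY_POLICY_VERSION,
    )
    store.records[record.id] = record
    return record


def purge_expired(store, now=None):
    """Delete enquiries older than RETENTION_DAYS; returns the ids removed."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=RETENTION_DAYS)
    expired = [i for i, r in store.records.items() if r.received_at < cutoff]
    for i in expired:
        del store.records[i]
    return expired


def erase_subject(store, email):
    """Handle a removal request: delete every enquiry from that email address."""
    ids = [i for i, r in store.records.items() if r.email.lower() == email.lower()]
    for i in ids:
        del store.records[i]
    return len(ids)


if __name__ == "__main__":
    store = EnquiryStore()
    # Constructed sample submission, as a browser would encode it.
    rec = handle_submission(
        {"name": "Jo Bloggs", "email": "jo@example.com", "message": "Quote please",
         "consent": "on", "phone": "01865 000000"},  # phone is dropped: not needed
        store, utc("2018-06-01T09:00:00"))
    print("stored", rec.id, "under policy", rec.consent_policy_version)
    print("purged after 91 days:", purge_expired(store, utc("2018-08-31T09:00:00")))
```

Run the purge on a schedule (a daily cron job, say) rather than by hand, and keep the consent timestamp and policy version with each record: if someone asks what they agreed to, or a regulator asks how you justify holding their details, that is the evidence you will need.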
What about my mailing list?
If you collect data and add people to a mailing list, then you need to make sure people understand that that is what you are going to do and how they can get their data removed. The easiest way to do this is to use one of the many mailing list services like MailChimp and follow all of their set-up advice (double opt-in, an unsubscribe link in every email, and a record of when each person signed up). You must get explicit and clear consent to do this.
What about Facebook?
Your privacy policy should include details of how you use the personal data you gather. So, if you gathered personal data and exported it to Facebook for tailored targeting, you’d need to explain this. A link to Facebook’s privacy policy would be advised if you use this service. This applies to any third-party service you use.
What about clients already on my mailing list?
You’ve probably been getting loads of emails recently from companies where you’ve signed up to email newsletters etc. in the past – well, that’s because of GDPR. If the consent you originally collected already meets the GDPR standard (freely given, specific, informed, unambiguous, and you have a record of it), you don’t need to ask again. If it doesn’t, or you can’t show when and how people signed up, you need to do the same and contact each person on your list to get explicit and clear consent to continue.
So the upshot is…
Basically, to make your site GDPR compliant, it boils down to making sure you’re transparent with people. Let them know what you’re doing with their personal data, don’t ask for extraneous information, and let them opt-in to giving it to you, rather than you taking it by default.
There are mentions of huge fines (up to 20 million euros or 4% of worldwide annual turnover, whichever is higher) if you’re found not to be complying with the regulation, and “I didn’t know” is not an excuse. Show that you’re striving to be compliant and you should be ok, but don’t bury your head in the sand and ignore it.
Further reading:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Well, that’s it until next week.
If you have anything you’d like me to explain in a blog, drop me an email.
Best wishes
We build WordPress websites primarily for local businesses in the Oxfordshire area. If you’d like to get in touch to see how I can help your business to get online or improve its online presence, then drop me an email: mail@webseoassist.co.uk